---
title: "UK PSTI Product Security PSTI vs CRA Guide"
canonical_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-cra"
source_url: "https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-cra"
author: "Sorena AI"
description: "UK PSTI Product Security guidance for PSTI vs CRA, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK PSTI Product Security"
  - "PSTI vs CRA"
  - "UK PSTI Product Security PSTI vs CRA"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# UK PSTI Product Security PSTI vs CRA Guide

UK PSTI Product Security guidance for PSTI vs CRA, with practical decisions, evidence, edge cases, and external source citations.

*Artifact Guide* *UK* *PSTI vs CRA*

## UK PSTI Product Security PSTI vs CRA

PSTI vs CRA comparisons should be written in operational language: which products are covered, which actor must act, what evidence proves compliance, and which deadline or enforcement route applies.

Use this guide to separate UK PSTI duties from CRA duties for connected products and products with digital elements, then turn the result into owners, records, and next actions. Validate against current legal and policy requirements before implementation.

This page is a side-by-side comparison of UK PSTI and the EU Cyber Resilience Act (CRA). It helps you decide which regime applies to a connected product, what each regime requires, and what evidence and timelines your team should prepare first.

## PSTI vs CRA: practical compliance comparison

Compare PSTI and CRA through scope, actors, triggers, duties, evidence, deadlines, enforcement, and operational decision rules.

- **PSTI**: PSTI is the UK regime for relevant connectable products. Use it to confirm whether the product falls into scope, which actor owes the duty, and which enforcement route or statement of compliance applies.
- **CRA**: CRA is the EU regime for products with digital elements. Use it to test product scope, economic-operator duties, conformity assessment, reporting dates, and whether a notified body may be needed.

| Dimension | PSTI | CRA | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | PSTI: define the relevant connectable product and record the UK scope finding separately from any EU assessment. | CRA: test whether the product with digital elements is in CRA scope, including exclusions and any substantial-modification issues. | Write two separate scope findings first: one for PSTI and one for CRA. Do not reuse a UK scope conclusion as the EU conclusion without checking the CRA text. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Who must act | PSTI: identify the manufacturer, importer, distributor, authorised representative, or UK responsible person that owns the connected-product duty. | CRA: assign the comparator duty to the relevant manufacturer, importer, distributor, authorised representative, notified body, or steward role that the CRA names. | Name each role separately. A supplier can be responsible under one regime and only a supporting party under the other. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Trigger or threshold | PSTI: state the fact that starts the obligation for the UK regime, such as market placement or the regulated role you hold. | CRA: state the CRA trigger separately, such as market placement, classification, reporting event, or conformity-assessment route. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Core obligations | The UK PSTI Act requires manufacturers to eliminate universal default passwords, publish a public vulnerability disclosure policy with a contact address, and state the minimum period for which the product will receive security updates before placing it on the UK market. | The EU Cyber Resilience Act requires manufacturers to conduct a cybersecurity risk assessment, implement security-by-design requirements throughout the product lifecycle, provide security updates for the support period, notify ENISA of actively exploited vulnerabilities within 24 hours, and affix CE marking after conformity assessment. | Translate each obligation into the exact deliverable the team must produce, such as a password control, disclosure page, support-period statement, risk assessment, technical file, report, or CE-marked declaration. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Evidence and records | PSTI: keep the evidence that proves the UK decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | CRA: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy the CRA requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together so the UK and EU records do not get mixed into one vague file set. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Timing and cadence | PSTI: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls the UK side. | CRA: track the CRA schedule separately so the 11 June 2026, 11 September 2026, and 11 December 2027 dates are not hidden by the UK workstream. | Use current source dates; do not reuse an older project plan if the regime dates or guidance have moved. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Enforcement or assurance route | PSTI: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to the UK side. | CRA: identify the enforcement or assurance route for the EU side and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when the enforcement routes differ because the UK regulator, EU market-surveillance authority, certification body, customer, or contract counterparty may require different proof. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Overlap and reuse | PSTI: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the EU side; otherwise keep a bridge note. | CRA can reuse evidence from the UK side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |
| Practical decision rule | PSTI: treat this as the controlling workstream when the product is a relevant connectable product and the immediate blocker is a UK security requirement, statement of compliance, or OPSS-facing issue. | CRA: run this workstream when the product has digital elements in EU scope and the immediate blocker is CRA classification, conformity assessment, reporting, or CE-marking readiness. | If only one regime applies, act on that regime first. If both apply, run both workstreams in parallel and keep the evidence files separate. | [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.<br>[Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.<br>[Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.<br>[European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.<br>[Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.<br>[The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence. |

Sources for Scope and covered activity - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Scope and covered activity - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Scope and covered activity - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Who must act - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Who must act - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Who must act - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Trigger or threshold - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Trigger or threshold - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Trigger or threshold - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Core obligations - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Core obligations - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Core obligations - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Evidence and records - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Evidence and records - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Evidence and records - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Timing and cadence - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Timing and cadence - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Timing and cadence - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Enforcement or assurance route - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Enforcement or assurance route - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Enforcement or assurance route - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Overlap and reuse - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Overlap and reuse - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Overlap and reuse - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

Sources for Practical decision rule - PSTI:

- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

Sources for Practical decision rule - CRA:

- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"

Sources for Practical decision rule - operational implication:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - This source supports the operational comparison by showing how UK PSTI enforcement and product-security records differ from EU CRA conformity evidence.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"

### How should teams use the UK PSTI Act vs EU Cyber Resilience Act comparison for connected-product planning?

- Use PSTI first when the product is a relevant connectable product and the immediate question is the UK security duty or OPSS-facing record.
- Use CRA first when the product has digital elements and the immediate question is EU scope, conformity assessment, reporting, or CE-marking readiness.
- If both regimes can apply, keep two workstreams, two scope findings, and two evidence sets so the controls are not blended into one record.
- Escalate overlap cases where the same product, supply chain, or technical evidence may be reused, but only after the source-linked requirements are checked on both sides.

Sources for the practical decision rule:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the comparison decision rule.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports the comparison decision rule.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"
- [Guidance](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Supports the comparison decision rule.
  - Quote: "This document provides guidance on regulatory activities, enforcement, and related resources for the Product Security and Telecommunications Infrastructure"
- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Supports CRA side of the comparison.
  - Quote: "The government has been working with the tech industry to better secure consumer connectable products for several years"

## How should teams compare PSTI vs CRA under UK PSTI Product Security?

Start by deciding whether the product is a relevant connectable product under PSTI or a product with digital elements under the CRA, then map the responsible actor, obligation, evidence, and timing for each regime separately. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.

Keep the legal source, product-scope decision, manufacturer/importer/distributor role, statement of compliance, and technical evidence together so PSTI and CRA records can be reviewed without merging two different legal tests.

- Separate the PSTI scope finding from the CRA scope finding before you compare controls.
- Record which role, product, system, customer group, or data flow is in scope for each regime.
- Attach the source-linked rule, the owner, and the evidence field before approving the control.
- Escalate uncertainty when the facts depend on thresholds, exemptions, cross-border placement, substantial modification, or enforcement-sensitive wording.

Sources for this answer:

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Primary source support for the PSTI vs CRA decision.
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Primary source support for the PSTI vs CRA decision.
- [Guidance](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Primary source support for the PSTI vs CRA decision.

## Who should own PSTI vs CRA, and what evidence should prove the decision?

Ownership should sit with the team that controls product design, supply-chain placement, importer/distributor checks, or customer security information, with legal and product-security review.

Evidence should show relevant-connectable-product scope, default-password controls, vulnerability disclosure channel, minimum support period, statement of compliance, supply-chain role checks, and OPSS or market-surveillance response readiness.

- Name one accountable owner and one reviewer for the PSTI vs CRA workflow.
- Keep source screenshots or source links, decision notes, implementation tickets, and approval records together.
- Use dated evidence for deadlines, notices, risk assessments, contracts, user journeys, and regulator-facing records.
- Review the evidence after product changes, new markets, new vendors, enforcement updates, or material changes in the source text.

Sources for this answer:

- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Evidence and ownership support for UK PSTI Product Security.
- [Guidance](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Evidence and ownership support for UK PSTI Product Security.
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Evidence and ownership support for UK PSTI Product Security.

*Recommended next step*

*Placement: after the practical guidance*

## Turn UK PSTI Product Security PSTI vs CRA into assigned work

Use this UK PSTI Product Security guide to turn PSTI vs CRA into owners, evidence requests, review checkpoints, and reusable operating records inside Sorena.

- [Open Assessment Autopilot for UK PSTI Product Security](/solutions/assessment.md): Turn PSTI vs CRA into scoped questions, evidence fields, and review tasks.
- [Review UK PSTI Product Security source evidence](/solutions/research-copilot.md): Use Research Copilot to answer follow-up questions with cited source material.
- [Talk through UK PSTI vs CRA implementation](/contact.md): Review scope, evidence, owners, and the next compliance actions with Sorena.

## Primary sources

- [Consumer connectable product security regulations](https://www.gov.uk/government/publications/OPSS-enforcement-enforcement-actions/consumer-connectable-product-security-regulations?ref=sorena.io) - Supports the comparison decision rule.
  - Quote: "enforcement actions taken by OPSS in relation to consumer connectable product security regulations"
- [The UK Product Security and Telecommunications Infrastructure (Product Security) regime](https://www.gov.uk/government/publications/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime?ref=sorena.io) - Supports the comparison decision rule.
  - Quote: "This is a UK government guidance page about the PSTI Product Security regime and compliance requirements"
- [Guidance](https://www.gov.uk/guidance/regulations-consumer-connectable-product-security?ref=sorena.io) - Supports the comparison decision rule.
  - Quote: "This document provides guidance on regulatory activities, enforcement, and related resources for the Product Security and Telecommunications Infrastructure"
- [Regulation of consumer connectable product cyber security](https://www.legislation.gov.uk/ukia/2023/123/pdfs/ukia_20230123_en.pdf?ref=sorena.io) - Supports CRA side of the comparison.
  - Quote: "The government has been working with the tech industry to better secure consumer connectable products for several years"
- [THE PRODUCT SECURITY AND TELECOMMUNICATIONS INFRASTRUCTURE (SECURITY REQUIREMENTS FOR RELEVANT CONNECTABLE PRODUCTS) REGULATIONS 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - Supports PSTI vs CRA under UK PSTI Product Security.
  - Quote: "security requirements for relevant connectable products"
- [Product Security and Telecommunications Infrastructure Act 2022](https://www.legislation.gov.uk/ukpga/2022/46/contents?ref=sorena.io) - Primary UK PSTI Act source for connected product security duties.
  - Quote: "Product Security and Telecommunications Infrastructure Act 2022"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/contents?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"
- [Cyber Resilience Act](https://data.europa.eu/eli/reg/2024/2847/oj?ref=sorena.io) - Official EU Cyber Resilience Act text for products with digital elements, economic-operator duties, conformity assessment, and market-surveillance obligations.
  - Quote: "horizontal cybersecurity requirements for products with digital elements"
- [European Commission CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary?ref=sorena.io) - European Commission overview confirming CRA scope, product security obligations, and timing for comparison against UK PSTI.
  - Quote: "Products with digital elements that have been placed on the market before 11 December 2027"
- [Product Security and Telecommunications Infrastructure security requirements regulations 2023](https://www.legislation.gov.uk/uksi/2023/1007/pdfs/uksiem_20231007_en_001.pdf?ref=sorena.io) - UK PSTI security requirements regulations for relevant connectable products.
  - Quote: "security requirements for relevant connectable products"

## Related Topic Guides

- [UK PSTI Act relevant connectable products: full scope and category definitions](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/relevant-connectable-products-scope.md): UK PSTI Product Security guidance for Relevant Connectable Products Scope, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act statement of compliance: evidence requirements and audit documentation](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance-and-evidence.md): UK PSTI Product Security guidance for Statement Of Compliance And Evidence, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act statement of compliance: what must the SoC contain?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance.md): UK PSTI Product Security guidance for Statement Of Compliance, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: is your product a relevant connectable product? scope test](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/relevant-connectable-product-scope.md): UK PSTI Product Security guidance for Relevant Connectable Product Scope, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: step-by-step statement of compliance preparation workflow](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/statement-of-compliance-workflow.md): UK PSTI Product Security guidance for Statement Of Compliance Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: step-by-step vulnerability disclosure process workflow](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/vulnerability-disclosure-workflow.md): UK PSTI Product Security guidance for Vulnerability Disclosure Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Act: vulnerability disclosure policy requirements and template](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/vulnerability-disclosure-policy.md): UK PSTI Product Security guidance for Vulnerability Disclosure Policy, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Default Password Requirements](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/default-password-requirements.md): A source-linked guide to the UK PSTI default password rule for consumer connectable products: unique passwords, user-defined setup, prohibited patterns, and evidence to keep.
- [UK PSTI Product Security Applicability Test Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/applicability-test.md): Practical guidance for the UK PSTI Product Security applicability test, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Checklist](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/checklist.md): Practical guidance for the UK PSTI Product Security checklist, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Compliance Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/compliance.md): Practical guidance for the UK PSTI Product Security compliance, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Deadlines and Compliance Calendar Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/deadlines-and-compliance-calendar.md): UK PSTI Product Security guidance for Deadlines and Compliance Calendar, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security ETSI Evidence Mapping Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/etsi-evidence-mapping.md): UK PSTI Product Security guidance for ETSI Evidence Mapping, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security FAQ](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq.md): Practical guidance for the UK PSTI Product Security FAQ, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Importer And Distributor Duties Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/importer-and-distributor-duties.md): UK PSTI Product Security guidance for Importer And Distributor Duties, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Minimum Support Period And Update Transparency Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/minimum-support-period-and-update-transparency.md): UK PSTI Product Security guidance for Minimum Support Period And Update Transparency, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security OPSS Enforcement and Penalties Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/opss-enforcement-and-penalties.md): UK PSTI Product Security guidance for OPSS enforcement and penalties, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security OPSS Notices Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/opss-notices.md): UK PSTI Product Security guidance for OPSS Notices, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security penalties and fines Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/penalties-and-fines.md): UK PSTI Product Security guidance for penalties and fines, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI Password And Update Policy Requirements Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-password-and-update-policy-requirements.md): UK PSTI Product Security guidance for PSTI Password And Update Policy Requirements, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI Scope Classifier Workflow Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-scope-classifier-workflow.md): UK PSTI Product Security guidance for PSTI Scope Classifier Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI Statement Of Compliance Template Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-statement-of-compliance-template.md): UK PSTI Product Security guidance for PSTI Statement Of Compliance Template, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI vs ETSI EN 303 645 Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-etsi-en-303-645.md): UK PSTI Product Security guidance for PSTI vs ETSI EN 303 645, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security PSTI vs EU Cyber Resilience Act Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-eu-cyber-resilience-act.md): UK PSTI Product Security guidance for PSTI vs EU Cyber Resilience Act, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Requirements Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/requirements.md): Practical guidance for the UK PSTI Product Security requirements, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Requirements In Practice Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/security-requirements-in-practice.md): UK PSTI Product Security guidance for Security Requirements In Practice, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Supply Chain Roles Manufacturer Importer Distributor Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/supply-chain-roles-manufacturer-importer-distributor.md): UK PSTI Product Security guidance for Supply Chain Roles Manufacturer Importer Distributor, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI Product Security Support Period Evidence Workflow Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/support-period-evidence-workflow.md): UK PSTI Product Security guidance for Support Period Evidence Workflow, with practical decisions, evidence, edge cases, and external source citations.
- [UK PSTI vs Australia Cyber Security Act Guide](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-australia-cyber-security-act.md): UK PSTI Product Security guidance for PSTI vs Australia Cyber Security Act, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Default Passwords under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/default-passwords.md): UK PSTI Product Security guidance for Default Passwords, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about ETSI Evidence under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/etsi-evidence.md): UK PSTI Product Security guidance for ETSI Evidence, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Excepted Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/excepted-products.md): UK PSTI Product Security guidance for Excepted Products, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Importer And Distributor Duties under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/importer-and-distributor-duties.md): UK PSTI Product Security guidance for Importer And Distributor Duties, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about OPSS Notices under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/opss-notices.md): UK PSTI Product Security guidance for OPSS Notices, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Relevant Connectable Products under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/relevant-connectable-products.md): UK PSTI Product Security guidance for Relevant Connectable Products, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Statement Of Compliance under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/statement-of-compliance.md): UK PSTI Product Security guidance for Statement Of Compliance, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Support Periods under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/support-periods.md): UK PSTI Product Security guidance for Support Periods, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Update Transparency under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/update-transparency.md): UK PSTI Product Security guidance for Update Transparency, with practical decisions, evidence, edge cases, and external source citations.
- [What should teams do about Vulnerability Disclosure under UK PSTI Product Security?](/artifacts/uk/product-security-and-telecommunications-infrastructure-act/faq/vulnerability-disclosure.md): UK PSTI Product Security guidance for Vulnerability Disclosure, with practical decisions, evidence, edge cases, and external source citations.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/uk/product-security-and-telecommunications-infrastructure-act/psti-vs-cra